https://community.cisco.com/t5/network-security/firepower-how-to-block-traffic-from-pcs-running-windows-xp/m-p/3185028#M1066088 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/178747">@Flavio Miranda</a>,</P> <P>I don't see how a URL rule can block traffic base on initiator operating system.</P> <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/289964">@cisco</a>,</P> <P>I haven't done this and Firepower doesn't&nbsp;make it easy but I believe you can use a Correlation Policy. You have to build a traffic profile and then a rule and finally a correlation policy that uses those building blocks and assign&nbsp;an action (i.e. Blacklist). However, Firepower has to be in a location to see the traffic with enough detail to authoritatively identify the OS. That can be problematic.</P> <P>&nbsp;</P> <P>This sort of thing can be done better and more easily with Cisco ISE as its built-in profiling&nbsp;(a Plus license feature) is much more precise. It can then assign a downloadable&nbsp;ACL (DACL) dynamically to prevent Internet access while allowing all other internal access at the switchport (or Wireless client) level.</P> <P>&nbsp;</P> Sat, 16 Sep 2017 15:10:39 GMT Marvin Rhoads 2017-09-16T15:10:39Z https://community.cisco.com/t5/network-security/firepower-how-to-block-traffic-from-pcs-running-windows-xp/m-p/3184589#M1066086 <P>Hi,</P><P>&nbsp;</P><P>I have a ASA 5525-X with Firepower. We still have some computers in our networks running Windows XP and I would like to block Internet-traffic from these computers. Of course I can maintain the IP-addresses in an access-list and block the traffic that way, but is it possible to do this more dynamic by using Firepower?</P><P>&nbsp;</P><P>Best regards,</P><P>Thor-Egil Ekeli</P> Fri, 21 Feb 2020 14:18:32 GMT https://community.cisco.com/t5/network-security/firepower-how-to-block-traffic-from-pcs-running-windows-xp/m-p/3184589#M1066086 cisco 2020-02-21T14:18:32Z https://community.cisco.com/t5/network-security/firepower-how-to-block-traffic-from-pcs-running-windows-xp/m-p/3184707#M1066087 <P>Hello,</P><P>&nbsp;</P><P>&nbsp;Sure it is. Follows the steps:</P><P>1-Configure URL objects/group under Object &gt; Object Management<BR />2-Create rule under Access Control policy calling the URL object created<BR />3-Deploy the policy on the targe device.</P> Fri, 15 Sep 2017 14:20:07 GMT https://community.cisco.com/t5/network-security/firepower-how-to-block-traffic-from-pcs-running-windows-xp/m-p/3184707#M1066087 Flavio Miranda 2017-09-15T14:20:07Z https://community.cisco.com/t5/network-security/firepower-how-to-block-traffic-from-pcs-running-windows-xp/m-p/3185028#M1066088 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/178747">@Flavio Miranda</a>,</P> <P>I don't see how a URL rule can block traffic base on initiator operating system.</P> <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/289964">@cisco</a>,</P> <P>I haven't done this and Firepower doesn't&nbsp;make it easy but I believe you can use a Correlation Policy. You have to build a traffic profile and then a rule and finally a correlation policy that uses those building blocks and assign&nbsp;an action (i.e. Blacklist). However, Firepower has to be in a location to see the traffic with enough detail to authoritatively identify the OS. That can be problematic.</P> <P>&nbsp;</P> <P>This sort of thing can be done better and more easily with Cisco ISE as its built-in profiling&nbsp;(a Plus license feature) is much more precise. It can then assign a downloadable&nbsp;ACL (DACL) dynamically to prevent Internet access while allowing all other internal access at the switchport (or Wireless client) level.</P> <P>&nbsp;</P> Sat, 16 Sep 2017 15:10:39 GMT https://community.cisco.com/t5/network-security/firepower-how-to-block-traffic-from-pcs-running-windows-xp/m-p/3185028#M1066088 Marvin Rhoads 2017-09-16T15:10:39Z